Topic: Traffic from LAN to OPT1 allowed straight through.  (Read 2623 times)
« on: August 19, 2009, 00:52:59 »
bassreflex *
Posts: 14

I have the following setup:

Wan: ISP IP
Lan: 192.168.1.x
Guest Lan: 192.168.2.x

Under guest lan (opt1) I have a firewall rule setup that is to block:

Block any port, any protocol, any source, any destination

I am still able to ping computer 192.168.2.100 from 192.168.1.100.  What is going on with this?

In LAN I have the default rule:

Allow any protocol, LAN net source, any port, any destination, any port

Help understanding this would be greatly appreciated.

Thank you in advance.
« Last Edit: August 19, 2009, 17:10:08 by bassreflex »
« Reply #1 on: August 19, 2009, 03:16:28 »
gus *
Posts: 27

That is correct for those rules.

On the LAN you need this rule:
Block: any, LAN, any, OPT1, any
This will block all traffic from your LAN to the guest.

Currently, if you plug into your guest LAN, you won't get anywhere, since you are blocking all connections going out.

You can ping from your LAN because it is allowed on the LAN, and the firewall will always allow the return traffic, since an allow initiated the connection.
« Reply #2 on: August 19, 2009, 04:39:57 »
bassreflex *
Posts: 14

Quote from: gus on August 19, 2009, 03:16:28
That is correct for those rules.

On the LAN you need this rule:
Block: any, LAN, any, OPT1, any
This will block all traffic from your LAN to the guest.

Currently, if you plug into your guest LAN, you won't get anywhere, since you are blocking all connections going out.

You can ping from your LAN because it is allowed on the LAN, and the firewall will always allow the return traffic, since an allow initiated the connection.

Just added the rule you had above and ping is still going through. And also, with block all on the OPT1 interface it can get to everything still. It's almost like the rules just don't do anything at all. The only rules I've seen work so far are ones from the WAN to LAN with NAT.
« Reply #3 on: August 20, 2009, 15:45:42 »
bassreflex *
Posts: 14

So no one else has any ideas?
« Last Edit: August 20, 2009, 15:48:24 by bassreflex »
« Reply #4 on: August 22, 2009, 02:04:14 »
gus *
Posts: 27

What order are the rules? The block rule must be above the allow rule - rules are executed top-down, and when a rule is found that applies to the packet, it stops looking at the rest of the rules and passes the packet.
« Reply #5 on: August 22, 2009, 06:21:28 »
bassreflex *
Posts: 14

Thanks for the help gus.  You were correct.  I found out what was happening.  The firewall had an open state already and I did not give it enough time to clear that state before I started trying to ping again... therefore it gave the illusion the rule was not working.

So after the traffic stopped long enough to clear the state, it cut it off completely.

Thanks for your help!
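The thread turns on three mechanics: rules are bound to the interface where traffic enters the firewall, they are evaluated top-down with the first match deciding, and a pass creates a state entry that keeps passing the flow (replies included) without the rules being consulted again. The Python model below is an added illustration, not code from the thread or from the firewall product being discussed. The networks and the 192.168.x.100 hosts come from the posts; the `Firewall` class, the 60-second state timeout and the 192.168.1.50 host are constructed for the example.

```python
"""Toy model of a stateful, first-match, per-interface firewall.

Constructed illustration for the thread above; not the firewall's real code.
"""
import ipaddress
from dataclasses import dataclass

# Networks from the thread; interface names follow the LAN/OPT1 naming used in the posts.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

LAN_HOST, GUEST = "192.168.1.100", "192.168.2.100"   # hosts named in the first post


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src, dst):
        return src in self.src and dst in self.dst


class Firewall:
    """Rules live on the interface a packet *enters*, are checked top-down, and the
    first match wins. A pass creates a state; later packets of that flow, in either
    direction, are passed from the state table without re-checking any rules.
    state_timeout is a constructed value, not a real product default."""

    def __init__(self, rules_by_iface, state_timeout=60):
        self.rules = rules_by_iface
        self.states = {}            # (src, dst) -> expiry time
        self.state_timeout = state_timeout

    @staticmethod
    def ingress_iface(src):
        if src in LAN_NET:
            return "LAN"
        if src in OPT1_NET:
            return "OPT1"
        return "WAN"

    def packet(self, src, dst, now):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Expire idle states first.
        self.states = {k: exp for k, exp in self.states.items() if exp > now}
        for key in ((src, dst), (dst, src)):
            if key in self.states:                       # established flow or its reply
                self.states[key] = now + self.state_timeout   # traffic keeps the state alive
                return "pass (state)"
        for rule in self.rules.get(self.ingress_iface(src), []):
            if rule.matches(src, dst):                   # first match decides
                if rule.action == "pass":
                    self.states[(src, dst)] = now + self.state_timeout
                return rule.action
        return "block"                                   # implicit default deny


def original_setup():
    """Reply #1: LAN passes everything, OPT1 blocks everything. The echo request
    enters on LAN and is passed there; the echo reply rides the resulting state,
    so the OPT1 block rule is never consulted for this flow."""
    fw = Firewall({"LAN": [Rule("pass", LAN_NET, ANY)],
                   "OPT1": [Rule("block", ANY, ANY)]})
    request = fw.packet(LAN_HOST, GUEST, now=0)
    reply = fw.packet(GUEST, LAN_HOST, now=1)
    guest_initiated = fw.packet(GUEST, "192.168.1.50", now=2)  # new flow from OPT1
    return request, reply, guest_initiated


def block_rule_order(block_first):
    """Reply #4: the LAN->OPT1 block only takes effect if it sits above the pass rule."""
    block = Rule("block", LAN_NET, OPT1_NET)
    allow = Rule("pass", LAN_NET, ANY)
    lan_rules = [block, allow] if block_first else [allow, block]
    fw = Firewall({"LAN": lan_rules, "OPT1": [Rule("block", ANY, ANY)]})
    return fw.packet(LAN_HOST, GUEST, now=0)


def stale_state():
    """Reply #5: a state opened under the old rules keeps passing the flow after
    the block rule is added, until the flow goes idle long enough to expire."""
    fw = Firewall({"LAN": [Rule("pass", LAN_NET, ANY)]}, state_timeout=60)
    before = fw.packet(LAN_HOST, GUEST, now=0)              # pass: state created
    fw.rules["LAN"] = [Rule("block", LAN_NET, OPT1_NET), Rule("pass", LAN_NET, ANY)]
    right_after = fw.packet(LAN_HOST, GUEST, now=5)         # still passed by the state
    after_idle = fw.packet(LAN_HOST, GUEST, now=200)        # state expired, rules consulted
    return before, right_after, after_idle


if __name__ == "__main__":
    print("original setup:", original_setup())
    print("block below allow:", block_rule_order(block_first=False))
    print("block above allow:", block_rule_order(block_first=True))
    print("stale state:", stale_state())
```

Running it replays the thread in order: the original rules pass the ping and its reply while a guest-initiated flow is blocked, the block rule only bites when it is listed above the allow rule, and a flow with an existing state keeps passing until the state times out. Real firewalls also do not flush the state table when rules are saved, which is why the last post needed to wait for the state to clear.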